Cyber Insurance professionals will often need to assess the policy-readiness of their clients by examining their current cyber hygiene management according to a set of minimum requirements. The Cyber Insurance Academy has interviewed our community members, comprising industry experts at some of the leading cyber insurance companies around the globe, to get their insights on the top best practices that will secure a place in the insurers’ good books.
Zero-Trust Models and Minimum Requirements
As the name suggests, the Zero-Trust framework works on the basis that no activity of an organizational network is immune from thorough, ongoing security checks. In practice, it is a security approach that requires all users of an organization’s network and third-party providers with continuous access to the network, to be authenticated and authorized on an ongoing basis for security posture before being granted access to applications and data.
The security model is particularly useful for securing remote networks, hybrid cloud environments, and ransomware threats and therefore meets many of the needs of modern businesses operating in a post-pandemic world. It particularly suits current working environments as, if vetted correctly, high-risk network users can continue to access key applications and software remotely without increasing cyber risks.
So what cyber security best practices should cyber insurers be on the hunt for when assessing their insureds’ risk? We’ve compiled a list of the minimum benchmark requirements demanded by most cyber insurers today.
The Key Minimum Requirements In the Cyber Insurance Industry
Endpoint Detection & Response (EDR) implemented on all endpoints
Endpoints include laptops, desktops, mobile phones, tablets, servers, and virtual environments – they are devices that sit literally on the end of a network. Attackers can exploit vulnerabilities in such endpoints and use them as entry points to install malware and move laterally across a network. Endpoints can be protected from these attacks through a variety of solutions.
The best-known endpoint security solution is antivirus software (“AV”). AV is programmed to detect known types of malware that have been “blacklisted”. However, with cybercrime sophistication rapidly and constantly evolving, AV is struggling to keep up – it is based on the outdated assumption that the malware you saw yesterday will look the same today. It, therefore, had to evolve to tackle today’s cyber climate effectively.
Enter EDR – a cyber security software that is designed to continually monitor, discover, investigate and respond to advanced threats against endpoint devices. Insurers are now requiring the use of EDR technologies as part of a business’ Incident Response (IR) for all those applying for cyber insurance because it provides better visibility over endpoints and can address broader attack campaigns stretching across multiple endpoints.
The Cyber Insurance Academy recently hosted an EDR and Incident Response Masterclass, which you can watch on-demand here.
Multi-Factor Authentication (MFA) is implemented and required for all remote access
MFA has become a hard and fast favorite featured in most minimum requirements. It takes a multi-lock approach to user access to business systems: it combines two or more different methods of authentication – such as a thumbprint or a unique code texted to the individual user – to provide greater security when proving the identities of users trying to access their accounts. Many organizations now require MFA to establish a connection to their network from outside the office and protect the end-user in case their credentials get compromised.
Often this method will require a combination of the following: something you are (such as an iris scan or fingerprint), something you know (such as a password), and something you have (such as a one-time token). Insurance professionals should be looking out for MFA use across business email accounts and other key business applications as this technique will prevent malicious actors from accessing a business network.
Backup Procedures, Offline Backup, or Alternative Backup Solutions
In the age of ransomware, insurers are quickly realizing that a good backup can significantly reduce business interruption and extortion demands in the event of an attack. As a result, most businesses will need to meet certain backup standards in order to qualify for a policy – let alone to reduce their premiums.
For cloud backups, malware scanning, encryption, segmentation (isolating backups from other parts of the network in order to prevent a domino effect of a single adversarial attack), and MFA are commonly required by insurers. When it comes to a business’s most sensitive applications, insurers are likely to require these to be offline, immutable (the data remains fixed, unchanging, and unable to be deleted), and clearly cataloged through audits (so that organizations can clearly identify where these critical backup is sitting). The company’s crown jewels, and its data, should be treated with particular care in a highly secure environment.
Ensure the backup data is isolated from other enterprise services to protect the backups from being impacted by adversary attacks.
Identity and Access Management (IAM) for ad-hoc privileges and restricted network access
IAM applies sets of rules and policies to track and control user activity. The extent to which these activities can be supervised will depend on the specific technologies employed by a business. For example, it will monitor successful and failed login attempts, determine access rights, and grant administrating privileges to users on an as-needed basis.
These management techniques minimize the potential attack surface, it also decreases the impact of a breach, and prevents cyber risks such as insider threats, misconfigured automation, and accidental operator error in production environments.
Privileged Access Management (PAM) to monitor accounts with privileged access
This is a subset of IAM that acts as a gatekeeper, maintaining control and visibility over the most critical systems and data. It will both enable access to critical resources and privileged information and audit the activity of privileged users in the event of a security incident. PAM helps businesses to minimize the risk of hacking privileged accounts (often a favorite target of threat actors). It should also be noted that PAM is not just a popular requirement of insurers, it is often needed for compliance with many legislative frameworks for privacy and data protection.
Good Patch Management
This is particularly relevant for critical patches and can include regularly installing patch updates, mapping out an inventory of the current operating systems on a regular basis, and keeping a list of all security controls (such as firewalls, antivirus software, EDR technologies, and so on) within an organization, classifying risks and prioritizing critical assets, and testing and applying patches on a regular basis.
Insurers will be reviewing a business’s patch management in order to ascertain the extent to which its assets are low-hanging fruit for cyberattackers.
Historically, cyber liability insurance renewal applications have been a straightforward experience for brokers and their clients, with only a minimal amount of information required. That has changed dramatically in recent years as cyber attacks have evolved and will continue to evolve, in frequency, severity, and sophistication. Cyber insurance specialists will increasingly find that up-to-date knowledge of the latest underwriting trends and the most innovative cyber security tools will be imperative to survive in this fast-paced, competitive environment.
Interested to learn more about the latest developments in cyber insurance? Visit our course catalog for more information on our cyber insurance training.
